This is a series on the risk manager’s role in strategic planning. In this post I describe the unique and complementary functions of two risk methodologies: risk ID and assessment, and risk scenarios.

Risk Identification and Assessment Process

If you think about it, risk assessment is the opposite of defining a business plan or constructing a forecast. Instead of building one fragile model, and placing all of your hopes on it, you are subjecting that single model to critique from 1000 different perspectives. To illustrate:

Consider a multidisciplinary round-table review of draft plans. In risk facilitation, participants consider the plan or proposal through the filters of many criteria, such as risk categories, organizational values, and financial limits.

To identify risk systematically is a form of stress testing, not by inflating variables in a financial model by a given percentage, nor by running Monte Carlo simulations, but by challenging a hundred assumptions – namely, the ones that underlie each element of the plan or proposal.

Thoroughness is built into the process. You are mapping many minds, each with its rich personal expertise and unique point of view, through many “lenses”, all directed to the scrutiny of the plan. If you lead a structured discussion among the right participants, you will identify comprehensively all the critical business risks.

If you share, as appropriate, the resulting risk profile with proponents or stakeholders, and get their input on risk and mitigation, it is much easier to gain consensus on a plan for action.

Risk Scenario Analysis

Now we come to how to deal with the unpredictable and the unknown. Conventional forecasting tends to tie our fate to one picture of the future. Risk ID will lose its efficacy as time frames extend into the future and uncertainty rises dramatically. Another risk methodology is called for.

In a previous post, I talked about risk scenarios, and the value of this method to pursue robustness and resilience, similar to an all-hazards approach. Pictures of the future that are both plausible and critical serve as a litmus test of draft plans. Scenarios go beyond stress testing, because they consider structural change of the underlying relationship among future forces and influences. This enriches the planning discussion, creates possibilities, and opens up the examination of the long-term feasibility of the firm.

Enterprise Risk Management will continue to demand of risk managers support for planning objectives, including strategic risk assessment for major projects in the long term. Rigorous risk ID in a facilitated session of subject matter experts, as well as future risk scenario analysis, are two essential risk methodologies.

This is a series on the risk manager’s role in strategic planning. In parts 1/6 – 3/6, I listed risk methodologies, reviewed mission statement examples, and addressed the question “What is an environmental scan?” – all to establish context.

Here I address reasons for poor risk assessment and the importance of risk facilitation skills.

Risk Methodology

Interviews are a common method of risk ID; surveys are also popular, and economy of scale of effort, in particular, recommends them. However, these two techniques commonly encounter methodological problems that invalidate their results.

I believe one reason for the use of interviews is that senior management and executive do not see a risk identification group session as worthy of their time. Organizations beginning an Enterprise Risk Management program will administer, if not interviews, then a survey to get the so-called “top 10 risks”. What can happen is that people responding to both interview and survey questions use very different language, frames of reference, time lines and definitions of risk. The shifting assumptions are not detected when the information is collected and aggregated.

The results of such risk surveys and interviews are not very compelling, and end up on a shelf. I have posted an introductory presentation on how to do risk assessment which quotes 5 studies from 2008 – 2009 in which firms of all types lament their poor risk assessment capability. Here is a screen shot:

I wrote a piece for Canadian Underwriter coming out in September on yet more similar findings in 2010. Essentially, information collected without rigorous risk methodology is not worth the effort.

Risk identification must be done in such a wide variety of contexts. Interviews and surveys (if well designed) will continue to be useful. But in many respects, a facilitated round table of subject matter experts is preferred, and it is an important competency for risk managers.

Risk Facilitation

The benefits of a structured discussion with a measured degree of free interaction – provided you establish the context – are quite amazing. As one client remarked, “People need to hear others’ views of risk around common issues.” This is particularly helpful in contexts where you are trying to achieve consensus in complex and controversial topics. I wrote piece back in 2006 for Risk Management Magazine with a case study of the risk facilitation process.

Formal training in facilitation is good preparation, especially if the subject matter is highly controversial or emotionally charged. If you can chair a meeting and lead a group through a complex agenda, that’s a good start. The crucial difference is that you are carrying out an ordered method, and must meet its requirements.

At the beginning of this series of posts, we listed methods: business continuity and emergency planning; innovation; high quality risk ID and assessment, and risk scenarios. These activities are scarcely possible as solitary research or surveys; they require group sessions. I believe the risk practitioner can facilitate such processes, and transfer this skill to other managers to build organizational capacity.

The next post compares and contrasts two essential risk methodologies: risk ID and assessment, and future scenarios planning.

Link the two clauses by a phrase such as “leads to”; “causing’; “results in” (without using conditional terms like “might”; “may”; “could”).

State the cause as an event, or as a set of conditions.

State the effect upon the program goal, objective, or value criterion under consideration.

Identify and state the risk that lies as far upstream as is practical to manage in the chain of cause and effect.

Risk Statement Examples

context A:
Manufacturing process, using a critical fabricated aluminum part sourced from a supplier which has just been bought out.
risk statement:
Changes to management of supplier X leads to faulty weld, heat treat and QA of our special-order welded 6061-T6 aluminum part.

context B:
Private school language program, expecting foreign student contingent from a country where political unrest is imminent.
risk statement:
Communication ties severed with institutional contact Mr. X within next 3 weeks results in inability to arrange permissions, visas and travel for September cohort.

context C:
Custom web security firm plans to set up a new office in Hong Kong. They are inexperienced in international business and getting help to apply for a business license.
risk statement:
Professional services Co. XYZ prepares deficient business license application, causing delay to planned September launch.

Explanation of Risk Statements

Notice that the statements could easily have read, for example, in Context A: “Customers injured” (characterizing this as a product liability issue); or in Context B: “September students don’t show up”; and in Context C: “Office opens late.” But the offhand, short keyword approach to risk ID doesn’t serve you very well.

I identified causal events, as far upstream, so to speak, as I could, in the hope of taking action to prevent the risk before it even matures.

So in Context A, I didn’t focus on the end product failing; nor on the faulty part entering our plant. I focused on the supplier’s new management somehow compromising the weld, heat treat and QA process. Can we take steps to guarantee that process?

In Context B, it was the communications drop that was going to cause our risk to manifest. Therefore, could we look at back-up communications channels?

In Context C, there is still time to do due diligence on firm XYZ and explore options, and so build extra assurance that the Hong Kong business license application will succeed.

At the same time, by describing the effect on our plan, I have made it possible to think more clearly of alternatives to the plan and post-event mitigation (contingencies).

You can imagine a risk register of, say, 50 risks on a critical initiative. If they are all just vague keyword phrases, then their assessment and associated treatment plans will be just as vague. But if the risk statements are complete, time-specific, directly targeted to goals, and indicate upstream opportunities for prevention and mitigation – then you will have a tightly defined risk profile that you can act on.

Risk Statements vs Risk Categories

I’m creating the first draft of the exam for an upcoming Enterprise Risk Management certification, and in the text they are using, the idea of writing a cogent risk statement is not addressed. But I think it is relevant: recent years’ risk management surveys show that people have little confidence in the effectiveness of their risk methodology.

There is a distinction between a risk category and a risk statement. Many people identify risks with two-word phrases: “reputation risk”; “construction risk”, and so on. These are not risk statements, they are general rubrics within which you must specify the risk. I’ve heard of consultants presenting lists of risk categories as if they represented the sum total of identified risks. The trouble with that is, while a two-word phrase is fast and easy to say, the threat that it denotes in relation to your organization is unsaid.

Now lists of risk categories, derived from loss history in a given industry (often sourced from brokers) are undoubtedly useful to help you identify relevant risks – but you have to use them correctly. They are not a substitute either for a comprehensive risk identification exercise, nor for writing complete risk statements.

A complete risk statement, whether or not inspired by or derived from a risk category, is formulated in direct association with a task, goal, objective or value criterion in your business or organizational plan. In the context of Enterprise Risk Management, the concept of risk goes beyond potential loss due to exposure of assets to hazards. The ISO 31000 defines risk as the “effect of uncertainty on objectives”. The older AS/NZS 4360 says: “the chance of something happening that will have an impact on objectives”.

You can find further discussion, with examples of good and poor risk statements, in the prior version of the ERM Guideline I wrote for BC government (section 2.3.2, page 20). You can email me if you want to see this — the current version doesn’t have it.

In this series on risk methodology, so far I’ve covered:

How to do Risk Assessment-Establish the Context–Part 1
How to do Risk Assessment-Establish the Context–Part 2
Pitfalls in Writing the Risk Context
Using Risk Categories

The basis of sound risk methodology is to establish the context. I’ve found that if people pay attention to risk context at all, they often treat it as background information or a pro forma introduction. But it’s really a tool to ensure a rigorous and comprehensive risk assessment.

The original AZ/NZS 4360 addresses context, although mostly in connection with organization-wide implementation. The CAN/CSA-ISO 31000-10 and the accompanying Q850-10 Implementation of Risk Management – I was on the CSA technical committee – specify context for the purpose of applying the risk process.

Similarly, in the ERM Guideline that I wrote (edited since) when I was in BC Government, you’ll see Establish the Context (section 3.3). The idea is to write a short risk context statement following recommended headings. Use this more complete template for context posted in this article: Risk Assessment Template-Establish Context.

Establishing the context means to define the bounds of what you want to analyze for risk, whether a strategic or operational plan, industrial or administrative process, program, project or other management initiative. The context paper sets out the scope of the analysis and the criteria you will use to assess risk. NB: This means your work will be internally consistent, and the results defensible.

Apart from establishing scope and assumptions, there’s a second purpose to writing a context paper: it serves as an agenda to help the facilitator lead the team to identify risk in a reasonably comprehensive and ordered way.

Each instance of successful ERM implementation is unique, and really depends on interpreting principles, not a fixed format. However, a sample risk management plan is typically a copy of the process steps from a standard, or a list showing the formal elements:

Communicate and promote the program;

Select an appropriate standard;

Define the governance structure;

Create policy to apply risk management steps to the business;

Establish tools, resources and a training plan.

Although those steps come to mind, I don’t take a bureaucratic approach when I work with clients. I find people have often done their homework on the formalities, and instead need help to get the program started. Proving the risk process at the front end is a low-risk way to proceed. Let’s look at a particular case.

ERM Case Study: Camosun College

When Camosun College first called me, they were bound to implement ERM following instructions from the Board, had a project manager engaged to lead the effort, and had studied the ERM framework.

They asked: where do we start? I asked in turn: where are the most pressing challenges in your planning and operations? I wanted to identify a pilot group with whom we could try risk identification and assessment – whether at the department (operational) level or executive (strategic) level.

The project lead set up a session with the college president and the senior executive, and I facilitated the identification and assessment of risk for the college’s multi-year strategic plan. Our aim was to demonstrate the risk methodology to the executive group, and see what kind of results it would give.

We prepared the session with a fairly short, but carefully defined context paper. We reviewed the templates and criteria we would use. The project lead explained to me: ‘Edward, we like your templates, but we have changed some of the terminology to “Camosunize” them.’ I was glad, because this meant the risk management team was adapting the method to their own working culture.

The session was a team building exercise, because controversial matters found resolution, not arbitrarily, but based on their own criteria, such as strategic direction and professional values. It resulted in a comprehensive risk profile and an agreed risk mitigation blueprint, involving plans to build up certain programs, attenuate others, and take other pro-active administrative steps.

At that point, executive had no problem in mandating a roll-out to other administrative and academic departments, one-by-one, to test and improve the process gradually.

Camosun set up an exemplary Enterprise Risk Management regime within18 months. They liked the results and presented them to the Canadian Association of Community Colleges. The CFO Peter Lockie tells me he regularly gets calls to speak about Camosun’s ERM experience and share materials.

Principles of ERM Implementation

I started out by saying that successful ERM implementation depends on principles. Here are important tenets of program implementation that Camosun paid attention to:

Gain senior executive support; not through lip service, but through active participation;

Gain staff and participant support through encouraging ownership and adaptation of tools and language to suit the organizational culture;

Demonstrate value: work with participants to prove how the new management practice (i.e., risk ID and assessment) solves critical business dilemmas, builds consensus and helps them get their jobs done;

Resource the project adequately in order to support a phased implementation;

Proceed incrementally, with a low-tech approach, and allow feedback and improvement – avoid a monolithic and wholesale imposition of new system;

Integrate the new practice into existing planning and management regime as an improvement, not as an administrative burden.